This is an automated email from the ASF dual-hosted git repository.
cmcfarlen pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 7055283e8a server.honor_cipher_order: Clarify documentation (#12416) (#12420)
7055283e8a is described below
commit 7055283e8a141af183b384e2e1a6ac846067667c
Author: Brian Neradt <[email protected]>
AuthorDate: Mon Aug 4 19:54:12 2025 -0500
server.honor_cipher_order: Clarify documentation (#12416) (#12420)
Clarify in records.yaml.en.rst that server.honor_cipher_order controls
TLS server preference for TLS groups and signature algorithms in
addition to ciphers.
This also makes use of the SSL_OP_SERVER_PREFERENCE instead of the
misleading SSL_OP_CIPHER_SERVER_PREFERENCE when available.
Fixes: #12382
(cherry picked from commit a5beffc4f108362a33c928f15e55d770e9031521)
---
doc/admin-guide/files/records.yaml.en.rst | 6 ++++--
src/iocore/net/SSLConfig.cc | 9 +++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/admin-guide/files/records.yaml.en.rst
b/doc/admin-guide/files/records.yaml.en.rst
index 032894c564..7052a3105a 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3709,8 +3709,10 @@ SSL Termination
.. ts:cv:: CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
- By default (``1``) |TS| will use the server's cipher suites preferences
instead of the client preferences.
- By disabling it (``0``) |TS| will use client's cipher suites preferences.
+ By default (``1``) |TS| will use the server's preferences for cipher
suites, supported groups, and
+ signature algorithms instead of the client preferences. By disabling it
(``0``) |TS| will use the
+ client's preferences. Note that despite the configuration name mentioning
"cipher_order", this
+ setting controls server preference for multiple aspects of TLS negotiation,
not just cipher suites.
.. ts:cv:: CONFIG proxy.config.ssl.server.prioritize_chacha INT 0
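Review bot: the new paragraph states unconditionally that supported groups and signature algorithms follow the server's preferences, but the accompanying SSLConfig.cc change only sets whichever of SSL_OP_SERVER_PREFERENCE or SSL_OP_CIPHER_SERVER_PREFERENCE the linked TLS library provides, so the exact scope of "server preference" is determined by that library rather than by |TS|. Consider adding one sentence such as "The precise set of negotiation parameters covered depends on the TLS library |TS| is built against." so operators auditing their TLS posture do not assume group and signature-algorithm ordering is enforced on every build.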
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index fdd7ea7c9d..75dcac9d20 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -459,12 +459,17 @@ SSLConfigParams::initialize()
ats_free(clientALPNProtocols);
}
-#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+#if defined(SSL_OP_SERVER_PREFERENCE) ||
defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
REC_ReadConfigInteger(option, "proxy.config.ssl.server.honor_cipher_order");
if (option) {
+ // Prefer the newer, more accurately named flag when available.
+#ifdef SSL_OP_SERVER_PREFERENCE
+ ssl_ctx_options |= SSL_OP_SERVER_PREFERENCE;
+#else
ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
- }
#endif
+ }
+#endif // defined(SSL_OP_SERVER_PREFERENCE) ||
defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
#ifdef SSL_OP_PRIORITIZE_CHACHA
REC_ReadConfigInteger(option, "proxy.config.ssl.server.prioritize_chacha");
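Review bot: when neither SSL_OP_SERVER_PREFERENCE nor SSL_OP_CIPHER_SERVER_PREFERENCE is defined, the outer `#if` now removes the REC_ReadConfigInteger call as well, so proxy.config.ssl.server.honor_cipher_order is silently ignored even when an operator sets it to 1. Consider an `#else` branch on the outer condition that still reads the setting and emits a warning when it is non-zero, so a build that cannot enforce server preference is visible in the logs rather than quietly falling back to client ordering. The restructuring itself is correct: the closing `}` of `if (option)` now sits outside the inner `#ifdef`/`#else`/`#endif`, so both branches compile with balanced braces.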